You know what’s the worst kind of phishing scam? The kind that you can’t simply ignore. Emails supposedly from the government, telling you to make that pending tax-related payment or risk legal action. Emails that look like your school or university sent them, asking you to pay that one tuition fee you missed. Or even a message from your boss or CEO, telling you to transfer them some money “as a favor”.
The problem with emails like this is that they’re impersonating an authority figure, whether it’s the government, your university board, or your boss at work. Those are important people, and ignoring their messages will almost certainly have serious consequences. So you’re forced to look at them, and if it seems convincing enough, you might actually fall for it.
But let’s take a look at CEO fraud. What exactly is it? Can it happen to you? And if it can, what should you do to stop it?
You’re not immune to CEO fraud
A $2.3 billion scam every year is what it is. You might be wondering, “What could possibly make companies lose that much money to a simple email scam?” But you’d be surprised how convincing CEO fraud emails can be.
In 2016, Mattel almost lost $3 million to a phishing attack when a finance executive received an email from the CEO, instructing her to send a payment to one of their vendors in China. But it was only after checking later with the CEO that she realized he’d never sent the email at all. Thankfully, the company worked with law enforcement in China and the US to get their money back a few days later, but that almost never happens with these attacks.
People tend to believe these scams won’t happen to them…until it happens to them. And that’s their biggest mistake: not preparing for CEO fraud.
Phishing scams can not only cost your organization millions of dollars, they can have a lasting impact on the reputation and credibility of your brand. You run the risk of being seen as the company that lost money to an email scam and losing the trust of your customers whose sensitive personal information you store.
Instead of scrambling to do damage control after the fact, it makes a lot more sense to secure your email channels against spear phishing scams like this one. Here are some of the best ways you can ensure that your organization doesn’t become a statistic in the FBI’s report on BEC.
How to prevent CEO fraud: 6 simple steps
- Educate your staff on security
This one is absolutely critical. Members of your workforce—and especially those in finance—need to understand how Business Email Compromise works. And we don’t just mean a boring 2-hour presentation about not writing down your password on a post-it note. You need to train them on how to look out for suspicious signs that an email is fake, look out for spoofed email addresses, and abnormal requests other staff members seem to be making through email.
- Look out for telltale signs of spoofing
Email scammers use all kinds of tactics to get you to comply with their requests. These can range from urgent requests/instructions to transfer money as a way to get you to act quickly and without thinking, or even asking for access to confidential information for a ’secret project’ that the higher-ups aren’t ready to share with you yet. These are serious red flags, and you need to double and triple-check before taking any action at all.
- Get protected with DMARC
The easiest way to prevent a phishing scam is to never even receive the email in the first place. DMARC is an email authentication protocol that verifies emails coming from your domain before delivering them. When you enforce DMARC on your domain, any attacker impersonating someone from your own organization will be detected as an unauthorized sender, and their email will be blocked from your inbox. You don’t have to deal with spoofed emails at all.
- Get explicit approval for wire transfers
This is one of the easiest and most straightforward ways to prevent money transfers to the wrong people. Before committing to any transaction, make it compulsory to seek explicit approval from the person requesting money using another channel besides email. For larger wire transfers, make it mandatory to receive verbal confirmation.
- Flag emails with similar extensions
The FBI recommends that your organization creates system rules that automatically flag emails that use extensions too similar to your own. For example, if your company uses ‘123-business.com’, the system could detect and flag emails using extensions like ‘123_business.com’.
- Purchase similar domain names
Attackers often use similar-looking domain names to send phishing emails. For example, if your organization has a lowercase ‘i’ in its name, they might use an uppercase ‘I’, or replace the letter ‘E’ with the number ‘3’. Doing this will help you lower your chances of someone using an extremely similar domain name to send you emails.